@LostKobrakai
Last active May 22, 2023 21:07
# ProcessWire front-controller vhost body: deny direct access to system, config and template
# files, serve static files that exist on disk, and hand every other request to index.php
# through PHP-FPM.
# The "# .htaccess N." markers presumably point at the numbered sections of ProcessWire's stock
# .htaccess that each rule mirrors -- confirm against the .htaccess of the installed version.
# NOTE(review): nginx tests regex locations in the order they appear and uses the first match,
# so every "deny all" location must stay above the static-file and \.php$ locations below.
server {
## [Default Nginx Configuration]
# .htaccess 8.1
charset utf-8;
# .htaccess 3.
# Exact-match locations: keep missing favicon/robots requests out of the error and access logs.
location = /favicon.ico { log_not_found off; access_log off; }
location = /robots.txt { log_not_found off; access_log off; }
# .htaccess 4.
# Response security headers. Without the "always" parameter nginx adds a header only to
# 200/201/204/206/301/302/303/304/307/308 responses, so error pages go out without it.
# A location that declares its own add_header stops inheriting these server-level ones.
# add_header X-Frame-Options SAMEORIGIN always; # Set by ProcessWire core
# NOTE(review): X-XSS-Protection is a legacy header that current mainstream browsers no longer
# act on; a Content-Security-Policy is the control to rely on if XSS hardening is the goal.
add_header X-XSS-Protection "1; mode=block";
# add_header X-Content-Type-Options "nosniff";
# -----------------------------------------------------------------------------------------------
# .htaccess 5.
# -----------------------------------------------------------------------------------------------
# Block access to ProcessWire system files (case-sensitive match on the extension)
location ~ \.(inc|info|info\.json|module|sh|sql)$ { deny all; }
# Block access to composer files
location ~ composer\.(json|lock)$ { deny all; }
# Block access to any file or directory that begins with a period (except well-known).
# The (?!well-known) lookahead exempts every dot-name that starts with "well-known",
# which keeps /.well-known/ paths (e.g. ACME challenges) reachable.
location ~ (^|/)\.(?!well-known)|^\..*$ { deny all; }
# -----------------------------------------------------------------------------------------------
# .htaccess 15.
# -----------------------------------------------------------------------------------------------
# Block access to protected assets directories
location ~ ^/(site|site-[^/]+)/assets/(cache|logs|backups|sessions|config|install|tmp)($|/.*$) { deny all; }
# Block access to the /site/install/ directory
location ~ ^/(site|site-[^/]+)/install($|/.*$) { deny all; }
# Block dirs in /site/assets/ dirs that start with a hyphen
location ~ ^/(site|site-[^/]+)/assets.*/-.+/.* { deny all; }
# Block access to /wire/config.php, /site/config.php, /site/config-dev.php, and /wire/index.config.php
location ~ ^/(wire|site|site-[^/]+)/(config|index\.config|config-dev)\.php$ { deny all; }
# Block access to any PHP-based files in /templates-admin/
location ~ ^/(wire|site|site-[^/]+)/templates-admin($|/|/.*\.(php|html?|tpl|inc))$ { deny all; }
# Block access to any PHP or markup files in /site/templates/
location ~ ^/(site|site-[^/]+)/templates($|/|/.*\.(php|html?|tpl|inc))$ { deny all; }
# Block access to any PHP files in /site/assets/ (and to the bare assets directory URL).
# Because this location precedes the \.php$ handler, a .php file below assets is denied
# instead of being passed to PHP-FPM.
location ~ ^/(site|site-[^/]+)/assets($|/|/.*\.php)$ { deny all; }
# Block access to any PHP files in core or core module directories
location ~ ^/wire/(core|modules)/.*\.(php|inc|tpl|module)$ { deny all; }
# Block access to any PHP files in /site/modules/
location ~ ^/(site|site-[^/]+)/modules/.*\.(php|inc|tpl|module)$ { deny all; }
# Block access to any software identifying txt files
location ~ ^/(COPYRIGHT|INSTALL|README|htaccess)\.(txt|md)$ { deny all; }
# Block all http access to the default/uninstalled site-default directory
location ~ ^/site-default/ { deny all; }
# -----------------------------------------------------------------------------------------------
# If the request is for a static file, then set expires header and disable logging.
# Give control to ProcessWire if the requested file or directory is non-existing.
# The extension match is case-insensitive (~*); the deny rules above are case-sensitive (~).
# -----------------------------------------------------------------------------------------------
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|eot|woff|ttf)$ {
expires 24h;
log_not_found off;
access_log off;
# Serve the file if it exists, otherwise pass the requested path to index.php in "it".
try_files $uri /index.php?it=$uri&$args;
}
# -----------------------------------------------------------------------------------------------
# This location processes all other requests. If the request is for a file or directory that
# physically exists on the server, then load the file. Else give control to ProcessWire.
# -----------------------------------------------------------------------------------------------
location / {
# $uri is the normalized request path; the original query string is appended via $args.
try_files $uri $uri/ /index.php?it=$uri&$args;
}
# PHP handler: the last regex location, so it only sees .php requests that no deny rule matched.
location ~ \.php$ {
# NOTE(review): the snippet's contents are not shown here; confirm it rejects requests whose
# script file does not exist (e.g. a "try_files $fastcgi_script_name =404;" check) before
# they are handed to PHP-FPM.
include snippets/fastcgi-php.conf;
# .htaccess 10.
# Sets the HTTP_MOD_REWRITE variable to "On" for the PHP process.
fastcgi_param HTTP_MOD_REWRITE On;
# NOTE(review): fastcgi_param defines FastCGI variables, not HTTP request headers, so PHP
# would see these three under the literal keys "X-Real-IP", "X-Forwarded-For" and "Host"
# rather than HTTP_X_REAL_IP etc. -- confirm that the application actually reads them.
fastcgi_param X-Real-IP $remote_addr;
fastcgi_param X-Forwarded-For $remote_addr;
fastcgi_param Host $host;
# Unix socket of the PHP-FPM pool; the path looks like a per-site placeholder -- adjust it and
# keep the socket's owner/mode limited to the nginx worker user.
fastcgi_pass unix:/var/run/example.com_fpm.sock;
}
}
# Port-80 vhost for example.org: serves no content, every request is answered with a
# permanent redirect (301) to the same path and query string on HTTPS.
server {
    server_name example.org;
    listen      80;
    listen      [::]:80;

    # The target host is a fixed literal, not taken from the request's Host header,
    # so a forged Host value cannot steer the redirect elsewhere.
    return 301 https://example.org$request_uri;
}
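# TLS vhost that receives the traffic redirected from port 80 and carries the site
# configuration (the bracketed lines are the author's placeholders to be filled in).
server {
    listen 443 ssl;
    listen [::]:443 ssl;

    # Name the host explicitly, matching the https://example.org redirect target and the
    # other vhost examples that declare server_name. Without it this block only matches
    # requests by being the default server for the port.
    server_name example.org;

    # Certificate chain and private key. The key file should be readable by root only;
    # the nginx master process loads it at startup.
    ssl_certificate     /etc/ssl/cert.crt;
    ssl_certificate_key /etc/ssl/key.key;

    ## [Other ssl things]
    ## [Above config]
}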
# Canonical-host redirect: requests for the bare domain on port 80 are sent permanently (301)
# to the www host, keeping path and query string.
server {
    server_name example.org;
    listen      80;
    listen      [::]:80;

    # NOTE(review): the target scheme is plain http, so nothing in this variant moves
    # visitors onto TLS.
    return 301 http://www.example.org$request_uri;
}
# Content vhost for the www host name; the bracketed line is the author's placeholder for
# the site configuration.
# NOTE(review): port 80 only -- in this variant the site, including any login forms,
# is served without TLS.
server {
    server_name www.example.org;
    listen      80;
    listen      [::]:80;

    ## [Above config]
}
# Canonical-host redirect: requests for the www host on port 80 are sent permanently (301)
# to the bare domain, keeping path and query string.
server {
    server_name www.example.org;
    listen      80;
    listen      [::]:80;

    # NOTE(review): the target scheme is plain http, so nothing in this variant moves
    # visitors onto TLS.
    return 301 http://example.org$request_uri;
}
# Content vhost for the bare domain; the bracketed line is the author's placeholder for
# the site configuration.
# NOTE(review): port 80 only -- in this variant the site, including any login forms,
# is served without TLS.
server {
    server_name example.org;
    listen      80;
    listen      [::]:80;

    ## [Above config]
}